Cyber Risk News

Councils Reported Over 700 Data Breaches in 2020

Info Security - Wed, 06/23/2021 - 08:26

Hundreds of councils across the UK suffered data breaches last year, according to new Freedom of Information (FOI) research from Redscan.

The managed security services provider used official FOI responses from over 60% of the country’s 398 local authorities to compile its new report, Disjointed and under-resourced: Cyber security across UK councils.

Extrapolating these results, Redscan estimated that there were over 700 breaches reported to the data protection regulator, the Information Commissioner’s Office (ICO), last year. The average number reported by county councils (4.6) was more than double the overall average (1.8).

The report also noted that those reporting the most breaches tended to be the largest councils.

On the face of it, things are improving: the 2020 figure for breached councils (704) was around 10% lower than 2019 estimates (786).

However, the threat to local government is still high, Redscan warned.

Some ten councils confirmed they had been victims of ransomware or had experienced breaches that disrupted their operations last year. One reported 29 breaches to the ICO in just a single year.

Although not broken down by breach type, many of the incidents organizations report to the ICO stem from employee negligence, such as emailing information to the wrong recipient or failing to BCC recipients.

That’s why the report called out staff training as a key area of scrutiny.

Around 40% of local authorities spent no money on this crucial area in 2020, while nearly half (45%) were found to employ no staff with recognized security qualifications.

An estimated £1.5 million was spent in total among UK councils on security awareness training, which amounts to just £1.58 per employee, Redscan claimed.

The firm’s CTO, Mark Nicholls, argued that there’s plenty of room for improvement for local authorities.

“Every council has thousands of citizens depending on its services daily. Going offline due to a cyber-attack can deny people access to these critical services,” he added.

“To minimize the impact of data breaches, it is important that councils are constantly prepared to prevent, detect and respond to attacks. While our findings show that councils are taking some steps to achieve this, approaches vary widely and, in many cases, are not enough.”

Categories: Cyber Risk News

French Teens on Trial for Cyber-bullying

Info Security - Tue, 06/22/2021 - 18:58

France is trying more than a dozen teenagers in a new court set up in January specifically to hear cases concerning alleged online abuse and discrimination.

If convicted in the landmark two-day trial, the thirteen young people could be given suspended prison sentences of up to three years. 

The defendants are from a range of social and religious backgrounds. Charges levied against them include online harassment, making online death threats, and making online threats of rape. 

Some of the accused teenagers apologized for the comments they sent out into the digital world. Others denied being guilty of any crime. 

One defendant said his intentions when posting online had been to make people laugh and to attract more followers on social media. 

The trial is focused on comments made online two years ago by a then 16-year-old girl who has been identified publicly only by her first name, Mila.

Mila, an atheist who told the court "I don't like any religion," used her Instagram and TikTok accounts to criticize Islam and the Quran. In France, freedom of expression is considered a fundamental right and blasphemy is not a crime.

Mila subsequently received more than 100,000 threatening messages, including death threats and rape threats, according to her lawyer, Richard Malka. She was also sent misogynist abuse and received hateful messages about her sexuality. 

The now 18-year-old Mila had to leave two schools over the abuse. She told the court she feels like she’s been “condemned to death” and cannot see a future for herself. 

Out of the thousands of abusive messages and comments, French police tracked down the 13 defendants currently on trial. 

One 22-year-old defendant identified only by his first name, Enzo, apologized to Mila in court for tweeting “you deserve to have your throat slit,” followed by a sexist epithet.

Another, known as Manfred, said he was “pretending to be a stalker to make people laugh" when he threatened to turn Mila into the next Samuel Paty. Paty was a teacher who was beheaded outside Paris in October after showing a class caricatures of the Prophet Muhammad.

"When I posted the tweet, I wasn’t thinking,” testified another defendant, 21-year-old university student Lauren, who tweeted about Mila: “Have her skull crushed, please.”

Categories: Cyber Risk News

NIST Publishes Ransomware Guidance

Info Security - Tue, 06/22/2021 - 18:23

The National Institute of Standards and Technology (NIST) has published new draft guidance for organizations concerning ransomware attacks. 

The Cybersecurity Framework Profile for Ransomware Risk Management features advice on how to defend against the malware, what to do in the event of an attack, and how to recover from it. 

NIST's Ransomware Profile can be used by organizations that have already adopted the NIST Cybersecurity Framework and wish to improve their risk postures. It can also help any organization seeking to implement a risk management framework that deals with ransomware threats. 

Included in the Ransomware Profile are steps that can be followed to identify and prioritize opportunities for improving an organization's ransomware resistance. Users will learn how to prevent ransomware attacks and how to manage ransomware risk effectively. 

Basic measures mentioned in the guidance include keeping computers fully patched, using antivirus software, blocking access to known ransomware sites, and only permitting authorized apps to be used. 

Organizations are also advised to ensure scans are automatically conducted on emails and flash drives, to restrict the use of personally owned devices, to limit the use of accounts with administrative privileges, and to avoid the use of personal apps.

Another defensive tactic against ransomware that the guidance advocates is conducting security awareness training to educate employees about the dangers of opening files sent from unknown sources or clicking on links. 

NIST says planning ahead will help organizations that do succumb to ransomware to recover faster. It advises creating an incident recovery plan, implementing a comprehensive backup and restoration strategy, and maintaining an up-to-date list of internal and external ransomware attack contacts.

NIST intends for the new draft guidance to be used in conjunction with the NIST Cybersecurity Framework, other NIST guidance, and guidance issued by the Department of Homeland Security and the Federal Bureau of Investigation.

Those who wish to comment on the new draft Ransomware Profile have until July 9 to send their feedback to the Institute. A revised copy will then be released and a second commentary period held before a final document is published.

Categories: Cyber Risk News

SEC Probes SolarWinds Breach Disclosure Failures

Info Security - Tue, 06/22/2021 - 17:25

The United States Securities and Exchange Commission (SEC) has launched a probe to determine whether some companies failed to disclose that they had been impacted by the 2020 hacking attack that compromised the SolarWinds Orion software supply chain.

The assault on SolarWinds was discovered and disclosed by researchers at FireEye in December. The advanced persistent threat (APT) group behind the attack was able to compromise nine government agencies, critical infrastructure, and hundreds of private-sector organizations.

Last month, SolarWinds CEO Sudhakar Ramakrishna revealed that the attackers may have accessed the company's system as early as January 2019. The company has said that as many as 18,000 of its customers were affected by the breach. 

The United Kingdom and the US have laid the blame for the hack at the door of Russia's Foreign Intelligence Service (SVR). Russia has denied any culpability for the attack.

Two people familiar with the SEC investigation told the news source Reuters that letters were sent out last week by the SEC to a number of investment firms and public issuers. In the missives, the Commission asked the entities to voluntarily state whether they had been victimized by the unprecedented SolarWinds hack and kept quiet about it. 

The anonymous sources also said that in addition to probing data breach disclosure failures, the SEC is seeking to determine whether the cybersecurity policies at certain companies were designed to protect customer data. 

A spokesperson for SolarWinds said in a statement: "Our top priority since learning of this unprecedented attack by a foreign government has been working closely with our customers to understand what occurred and remedy any issues."

The company added that it is "collaborating with government agencies in a transparent way."

Under United States securities law, companies are required to disclose material information that could affect their share prices, including data on breaches caused by cybersecurity incidents. 

If the entities that receive the SEC's letters reply by disclosing information about the breaches, they will avoid any enforcement actions linked to internal accounting control failures and historical failures, the sources said. 

They added that the SEC was considering creating new policies regarding the effect of cybersecurity issues on investors and markets.

Categories: Cyber Risk News

New Tool Launched to Remove Nude Images of Children Online

Info Security - Tue, 06/22/2021 - 11:17

A new online tool has been launched to help young people remove nude images of themselves that have been shared online.

The Report Remove tool, developed by Childline and the Internet Watch Foundation (IWF), enables any person under the age of 18 to report any nude image or video of them that has appeared on the internet. The IWF will assess the content and work to remove it if it is found to have broken the law. To do so, a digital fingerprint – a hash – will be created from the image and provided to tech platforms to enable them to prevent the image from being shared or uploaded online.

Any young person making a report should also receive feedback from the IWF via Childline within one working day.

The new tool has been created amid a surge in self-generated images this year, with the IWF revealing that reports of this nature have more than doubled from January to April 2021 compared to the same period last year, from 17,500 to 38,000. The sharing of sexual images online can have a particularly devastating impact on young people, leading to mental health issues and fears about how it may affect their future prospects.

There are a variety of reasons why young people self-generate sexual images or videos. Sometimes they are sent for fun to a boyfriend or girlfriend and are subsequently shared online without their consent. In other circumstances, young people are groomed online or blackmailed into generating this type of content.

Childline quoted a 14-year-old girl who had contacted them about her own experiences of this. She stated: “I don’t know what to do because this Instagram account keeps posting pictures of me and they keep saying they’re going to follow my friends so they can see them too. It all started after I shared naked pics with someone who I thought was a friend but it turned out to be a fake account. I just feel so hopeless and I don’t know how to make it stop.”

The Report Remove tool, which was first piloted in February 2020, provides an avenue for support for young people in this situation.

It has also been developed to ensure young people's use of the tool remains confidential – they do not need to provide their real name, and they can verify their age without revealing any other details by using Yoti’s digital identity platform. Additionally, Childline and IWF have coordinated with law enforcement to ensure children will not be unnecessarily visited by the police when they make a report.

Cormac Nolan, service head of Childline Online, pointed out how damaging sharing explicit content can be to children: “The impact of having a nude image shared on the internet cannot be underestimated and for many young people, it can leave them feeling extremely worried and unsure on what to do or who to turn to for support.

“That’s why Childline and the IWF have developed Report Remove to provide young people a simple, safe tool that they can use to try and help them regain control over what is happening and get this content erased.

“At Childline we also want to remind all young people that if they discover that a nude image of themselves has been shared online that they do not need to deal with this situation alone and that our Childline counsellors are always here to listen and help provide support."

Susie Hargreaves OBE, chief executive of the IWF, said: “When images of children and young people are taken and spread around the internet, they lose control. This is about giving them that control back.

“Once those images are out there, it can be an incredibly lonely place for victims, and it can seem hopeless. It can also be frightening, not knowing who may have access to these images.

“This tool is a world first. It will give young people the power, and the confidence, to reclaim these images and make sure they do not fall into the wrong hands online.”

Categories: Cyber Risk News

Fifth of Google Play Apps Violate Child Protection Law

Info Security - Tue, 06/22/2021 - 11:00

One in five apps on Google Play designed for children appear to be breaking federal law, according to new research from Comparitech.

The consumer rights and comparison site analyzed the top 300 free and top 200 paid apps on the marketplace under the children and family categories and reviewed each listed privacy policy.

It found that one in five contravened the Children's Online Privacy Protection Act (COPPA), legislation which places a strict set of FTC-enforced requirements on websites and online services aimed specifically at the under-13s, or those that collect personal data on children.

Of the 20% of Google Play-listed apps found to be violating COPPA, half were collecting personal information from children without the required child-specific privacy policy in place, according to Comparitech.

A further 27% claimed not to be aimed at children, despite being listed under the “Everyone” age limit on Google Play. Two of these were explicitly aimed at those under 10, the report claimed.

Some 9% of the erring apps did not collect children’s data themselves but worked with third parties that might, which still requires a child-specific policy section and parental consent.

The same number (9%) tried to place responsibility on children and parents, either by asking kids not to submit their personal info to the app or parents to monitor their child’s app usage. Both apparently violated COPPA.

The final 6% had crucial gaps in their policies, such as failing to explain how a parent can consent or access their child’s data or featuring a privacy policy lacking clarity in some areas.

Unfortunately, half of the apps listed in the research that violate COPPA have been awarded a Google Play “teacher approved” badge.

“Two hundred and seventy-four of the apps we reviewed had received this teacher-approved tick and 50 of these (18%) were found to be in violation of COPPA guidelines,” Comparitech explained in a blog post.

“This means the apps and their privacy policies have been through two layers of review and have still passed quality control despite being in breach of COPPA’s standards.”

Most of the info collected by the rogue apps came in the form of IP addresses (42%), followed by online contact information (16%), name (12%), address (7%), telephone number (7%) and other details.

Legally it remains unclear whether the app developers alone or Google would be liable under COPPA for any infractions.

Back in 2019, Google and YouTube agreed to pay the FTC $170 million to settle a case under COPPA that they collected personal information from viewers of child-oriented channels without asking parents first.

Categories: Cyber Risk News

Ransomware Payments Could Be Tax Deductible - Report

Info Security - Tue, 06/22/2021 - 10:36

US organizations that choose to pay a ransom to their online extorters may be eligible to claim the money back from the Internal Revenue Service (IRS), it has emerged.

A report from The Associated Press over the weekend cited tax lawyers and accountants who claimed the little-known clause could be a “silver lining” for ransomware victims.

However, the deduction could also be seen as a further corporate incentive to pay up, encouraging more affiliate groups to join the race to pilfer money from big-name multinationals.

It also flies in the face of official US government guidance, repeated many times by FBI boss Christopher Wray and others, that organizations should not pay any ransom.

Nikos Mantas, an incident response expert at Obrela Security Industries, argued that this tax oversight “will not last long.”

“Ransomware attacks are growing in severity and frequency today, so until now, it is unlikely the IRS had to specifically mention them in their guidance,” he told Infosecurity.

“However, as more and more companies fall victim, they will have to be taken into account. It seems unlikely the IRS will say payments will be tax-deductible as this could be seen as funding a criminal industry.”

IRS spokesperson Robyn Walker told AP: “The IRS is aware of this and looking into it."

The Biden administration has signaled its intent to take a hard line on ransomware actors in the wake of attacks on Colonial Pipeline and JBS USA that exposed the fragility of key supply chains.

However, aside from the creation of a DoJ Ransomware and Digital Extortion Task Force and a letter sent to corporate bosses from the National Security Council’s top cyber official, it’s unclear what this will entail.

Some criminal organizations like the infamous Evil Corp are on a US sanctions blacklist, which prevents victims from paying them. However, even here, there have been various attempts to skirt the laws.

Global organizations already have a major incentive to pay their ransomware extorters in the form of cyber-insurance policies that cover such losses or a large part of them. However, things may be changing here too: AXA recently declared it would no longer reimburse clients for these payments in France.

Categories: Cyber Risk News

Three-Quarters of SMBs Can't Repel Cyber-Attacks

Info Security - Tue, 06/22/2021 - 08:28

Millions of the UK’s small businesses aren’t confident they can withstand a cyber-attack, with resources frequently diverted to other areas, according to new research from Arctic Wolf.

The security operations vendor polled over 500 decision-makers in the UK working at firms with fewer than 250 employees to better understand their cyber challenges.

It found that three-quarters (73%) believe their organization lacks the in-house expertise and capabilities to defend against cyber-attacks. The figure could amount to as many as 4.5 million of the UK’s SMBs, the vendor claimed.

More than half (55%) of respondents said cybersecurity issues are regularly deprioritized in favor of other business goals.

This is having a major impact on security operations (SecOps): two-fifths (39%) of respondents said their teams are overwhelmed by security alerts and a similar number (34%) don’t have time to investigate every alert.

The findings chime with a recent Trend Micro study that revealed that over half of SecOps teams in global organizations are drowning in alerts and 55% aren’t confident in prioritizing and responding to them.

As a result, 70% admitted feeling emotionally distressed by the continuous pressure. This can impact both productivity and staff churn at a time when it’s already difficult to fill key security analyst positions.

Christina Richmond, program vice president, security services, at IDC, argued that SMBs should consider outsourcing such capabilities to cloud-hosted security service providers.

“Cyber-attacks, such as ransomware, are growing more advanced by the day, and organizations that fall victim are experiencing not only short-term financial and operational impacts, but also long-term impacts from customers and partners losing their trust,” she explained.

“Being able to identify and mitigate cybersecurity risk has become an essential function for all organizations, but finding the talent, tuning the tools, and developing the internal process is a significant challenge for even the largest, well-resourced organizations.”

Categories: Cyber Risk News

California Cops Launch ALPR Transparency Portal

Info Security - Mon, 06/21/2021 - 18:54

Police in California are sharing information on their usage of Automated License Plate Recognition (ALPR) technology in a unique stab at transparency. 

The Piedmont Police Department (PPD) in Alameda County is the first to launch a public ALPR Transparency Portal that reveals information on their technology policies, practices, and usage to the public.

Via the Portal, the department can communicate directly with the communities it serves. Citizens can use the system to access stats on the PPD's ALPR usage, data retention, and access policies.

The data is supplied through anonymized audit logs, with the aim of allowing for transparency and accountability without compromising privacy.

Data displayed includes the number of cameras the agency owns, the number of vehicles captured using ALPR, and other law enforcement agencies that the PPD shares its data with. The portal also shows the number of Hot List alerts and how many searches have been performed in the previous 30 days. 

“The Piedmont Police Department strives to provide transparency on all police activities, policies, and practices, and Flock Safety’s Transparency Portal is another positive step in that direction,” said Piedmont Police chief Jeremy Bowers. 

“We recognize that the public has a right and responsibility to understand how the officers who are sworn to protect and serve them do their jobs." 

He added: "The opportunity to be the launching agency partner on this first-of-its-kind program underscores our deep commitment to openness, accountability, and integrity.”

The Transparency Portal public safety operating system was created by Flock Safety, which provides the Piedmont Police’s ALPR camera system. 

Flock Safety, which operates in 40 states and more than a thousand cities in America, provides hardware and software solutions aimed at solving and reducing crime. It currently works with over 600 local law enforcement agencies in the United States.

“We place privacy, transparency, and bias mitigation at the forefront of our product development and are constantly engineering new features that encourage and align with our ethical principles," said Matt Feury, Flock Safety co-founder and CTO. 

"We’re excited for the Transparency Portal to serve as another tool that our law enforcement partners can use to strengthen ties with their communities.”

Categories: Cyber Risk News

Ohio Medicaid Provider Suffers Data Breach

Info Security - Mon, 06/21/2021 - 18:33

A security incident at an Ohio Medicaid provider last month may have resulted in the theft of personal data.

On Monday, the Ohio Department of Medicaid warned that an unknown party had accessed data in the care of Maximus for two days in May without authorization. 

Maximus was hired by the department to carry out data management. The company employs about 30,000 workers worldwide, with approximately 10,000 of those employees working at 11 call centers in nine states in the United States.

Information exposed in the incident included names, dates of birth and Social Security numbers belonging to the state's Medicaid providers. Maximus said the breached data could have been stolen. 

Data concerning Medicaid patients or beneficiaries was not affected by the security incident, which occurred from May 17 to May 19, when it was detected by Maximus. 

The company said that "because the unauthorized activity was detected at a very early stage, Maximus believes our quick response limited potentially adverse impacts."

The hacker accessed the information via an application. Once the intrusion had been detected, Maximus took the breached app offline and contacted law enforcement. 

An investigation into the data breach was launched and is being monitored by the Medicaid department. 

Individuals who were impacted by the incident are being offered two years of free credit monitoring services. 

In May 2018, Maximus notified thousands of patients of a data breach caused by a printing error. The error resulted in some participants in Medicaid and the Children’s Health Insurance Program (CHIP) receiving part of a letter meant for another participant. 

The error impacted letters prepared and mailed by the data company's print vendor, Business Ink, between February 10 and February 13, 2018. By accidentally mismatching one page of a six-page letter, Business Ink exposed names, addresses, group and case numbers, and program types.

Maximus was founded in 1975 and has offices in nine countries. It is the leading administrator of Medicaid enrollment broker services in the United States and answers more than seven million calls per month at its contact centers.

Categories: Cyber Risk News

Finger Scanning Costs Six Flags $36m

Info Security - Mon, 06/21/2021 - 17:57

Theme park operator Six Flags Great America has agreed to pay $36m to settle a class-action lawsuit concerning the collection of its customers' biometric data.

Filed in Lake County, Illinois, the lawsuit alleges that the use of finger-scanning equipment used at Six Flags entry gates violated the Prairie State's Biometric Privacy Act.

The act regulates how companies collect and use an individual's retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Under the law, which was passed in 2008, a company must obtain an individual's written consent before gathering and storing their biometric data. 

A company that violates the law must pay damages of $1,000 for each negligent violation and $5,000 for each intentional or reckless violation.

Lead plaintiff in the case against the amusement park operator, Stacy Rosenbach, sued the Gurnee branch of Six Flags in 2016 on behalf of her son, Alexander. Rosenbach said her son had supplied his fingerprint to gain access to the park, without first consenting to the collection and storage of his biometric information.

The case landed in the Illinois Supreme Court, where Six Flags argued that no injury had been done to Rosenbach's son, because the biometric data had not been exposed or stolen. 

However, the Court ruled in 2019 that for an individual to qualify as an "aggrieved" person under the Biometric Privacy Act and be entitled to relief and damages, that individual "need not allege some actual injury or adverse effect, beyond violation of his or her rights.”

After a period of mediation, a settlement was proposed that entitles people who first had their finger scanned when entering Six Flags Great America between October 1, 2013, and April 30, 2016, to receive up to $200. People who first had their finger scanned when entering the park between May 1, 2016, and December 31, 2018, could receive up to $60.

Under the agreement, Six Flags, which is headquartered in Arlington, Texas, does not accept any liability or admit any fault. The agreement is provisional and scheduled to be approved at a court hearing in October.

Categories: Cyber Risk News

UK Parliamentary Staffers Lost 96 Devices in Past Two Years

Info Security - Mon, 06/21/2021 - 10:53

Close to 100 electronic devices have been lost by Parliamentary staffers in the UK during the last two years, raising fears that sensitive public data has fallen into the hands of malicious actors.

The official data obtained by Parliament Street think tank under Freedom of Information (FOI) legislation revealed that a total of 96 laptops, tablet computers and other electronic gadgets were reported missing by Parliamentary staffers in the calendar years of 2019 and 2020.

The majority of the device loss incidents occurred in 2019, at 53, with the remaining 43 taking place in 2020. Of the 96 lost or stolen devices, 41 were laptops, 36 were tablets, and the remainder included 11 phones and six Skype headsets.

Of the 76 devices reported as lost, 11 were on trains, three on a bus, six in a car and even one in a pub.

Of the 20 devices that were stolen, four were from home addresses, one in a hotel and one on the London Underground.

Worryingly, just 18 of the total number of devices reported missing were subsequently located and found.

Edward Blake, area vice president EMEA of Absolute Software, commented on how dangerous losing such devices is. He highlighted that “Devices used to carry out parliamentary duties will contain a goldmine of confidential data that could be lethal if it fell into the hands of cyber-criminals. It’s critical that parliamentary authorities have the necessary systems in place to track missing devices, enabling them to freeze and wipe lost or stolen laptops, protecting public data from fraudsters.

“If a lost laptop ends up in the wrong hands, the organization in question could be facing a far more costly predicament than first anticipated. Sophisticated cyber-criminals can steal the data contained on these devices, access more businesses files, or intercept emails between colleagues, all with relative ease once a device has been compromised.

“Therefore, it is more critical than ever to have a permanent digital connection to every endpoint, as well as the ability to lock, freeze or wipe the device if it is at risk of being compromised.”

Device loss is also prevalent across other major public bodies in the UK. Earlier this year, official figures were published showing that the Department for Business, Energy and Industrial Strategy lost 306 mobile and laptop devices across the calendar years of 2019 and 2020.

Categories: Cyber Risk News

Amazon Prime Day - Beware of Phishing Deluge, Experts Warn

Info Security - Mon, 06/21/2021 - 09:17

Security experts have warned online shoppers to beware of scam emails and texts over the next couple of days as the Amazon Prime Day e-commerce bonanza gets underway.

The 48-hour sales event for Prime subscribers is said to be an even bigger money-maker for Amazon than Black Friday and Cyber Monday combined.

However, where there is money and consumers, cyber-criminals are usually not far away, warned Charles Brook, a threat intelligence researcher at Tessian.

“The most common tactic will be for scammers to impersonate Amazon in phishing emails, luring consumers with ‘too good to be true’ deals or prize offerings to encourage them into clicking malicious links or entering their details into fake websites,” he explained.

Tessian detected a 133% increase in phishing emails related to Amazon Prime Day or Amazon Store on the second day of the event last year, compared to a normal daily average for the month.

“Another common technique is to impersonate logistics or delivery companies in text message scams, asking consumers to click a link to confirm delivery details, track orders or reroute packages,” continued Brook.

“If you’ve just bought something in the sales, it wouldn’t seem unusual to receive a message like this. But these scams are designed to harvest financial information or account credentials which can be used to access other online accounts.”

The scams may continue even after the event itself has wound down, Tessian warned.

On October 15, 2020, the day after last year’s Prime Day sales ended, Tessian saw a 160% increase in the number of phishing emails citing “Amazon” and “Amazon Prime Day” compared to the daily average for October 2020.

Subject lines tended to include order confirmations, invoices, package delivery updates and messages from ‘customer support.’

Tessian urged shoppers not to click on Prime Day links in unsolicited emails and to double-check the sender’s actual email address rather than trusting the display name.

“Scammers take advantage of the fact that, on mobile, emails only show a display name which makes it easier for a bad actor to impersonate Amazon and send a message from an unknown email address,” it said.

Consumers should also refrain from clicking on unsolicited text message links, checking first with the company that sent them. Spelling and grammatical mistakes and deals which seem too good to be true are also tell-tale signs of potential fraud.
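The display-name trick described above is mechanical enough to check for automatically. The following is an added example, not Tessian’s or Amazon’s code: it parses the From: header, separates the display name from the real address, and flags any message whose display name claims to be Amazon while the address domain is not an allowlisted Amazon domain. The allowlist of Amazon sending domains is an assumption for illustration, and the sample headers are constructed to mirror the patterns the article describes.

```python
"""Flag display-name impersonation in e-mail From: headers.

Added example; this is not Tessian's or Amazon's code. The list of
legitimate Amazon sending domains is an assumption for illustration and
is not authoritative.
"""
from email.utils import parseaddr
from typing import List, Tuple

# Assumption: sending domains treated as genuinely Amazon-operated (illustrative only).
AMAZON_DOMAINS = ("amazon.com", "amazon.co.uk", "amazon.de")
# Words in a display name that signal the sender is claiming to be Amazon.
BRAND_KEYWORDS = ("amazon", "prime")


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the actual address in a From: header,
    or '' if no address can be parsed."""
    _name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def is_amazon_domain(domain: str) -> bool:
    """True for an allowlisted domain or a real subdomain of one.

    The comparison is anchored on the right-hand side, so a lookalike such as
    amazon.com.verify-account.example does NOT match."""
    return any(domain == d or domain.endswith("." + d) for d in AMAZON_DOMAINS)


def classify_from(from_header: str) -> str:
    """Classify one From: header.

    'no-brand'       display name does not claim to be Amazon
    'ok'             claims Amazon and the address domain is allowlisted
    'impersonation'  claims Amazon but the address domain is not
    """
    name, _addr = parseaddr(from_header)
    claims_brand = any(k in name.lower() for k in BRAND_KEYWORDS)
    if not claims_brand:
        return "no-brand"
    return "ok" if is_amazon_domain(sender_domain(from_header)) else "impersonation"


def triage(headers: List[str]) -> List[Tuple[str, str]]:
    """Run classify_from over a batch of From: headers."""
    return [(h, classify_from(h)) for h in headers]


if __name__ == "__main__":
    # Constructed sample headers, modelled on the patterns described in the article.
    samples = [
        "Amazon Shipping <ship-confirm@amazon.com>",
        "Amazon <no-reply@mail.amazon.co.uk>",
        "Amazon Prime Day Deals <deals@prime-day-offers.example>",
        "Amazon Customer Support <support@amazon.com.verify-account.example>",
        "Dave <dave@example.org>",
    ]
    for header, verdict in triage(samples):
        print(f"{verdict:14} {header}")
```

The check only looks at the header the sender wrote; a mail gateway would combine it with SPF/DKIM/DMARC results, since an attacker who controls a lookalike domain can pass those for their own domain while still failing this display-name test.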

Over 30,000 Fertility Clinic Patients Hit by Ransomware Data Breach

Info Security - Mon, 06/21/2021 - 08:53

Tens of thousands of patients at a US fertility clinic have had sensitive personal and medical information stolen in a ransomware attack.

Reproductive Biology Associates (RBA) was the first organization of its kind to offer IVF in the US state of Georgia and is the founding partner of the nationwide fertility clinic network My Egg Bank.

In a new breach notification, RBA claimed to have first become aware of a cyber-incident on April 16 this year, when it discovered that a file server containing embryology data had been encrypted.

“We quickly determined that this was the result of a ransomware attack and shut down the affected server, thus terminating the actor’s access, within the same business day. Based on our investigation, we believe the actor first gained access to our system on April 7, 2021 and subsequently to a server containing protected health information on April 10, 2021,” it continued.

“In the course of our ongoing investigation of the incident, on June 7, 2021 we determined the individuals whose personal information was affected. Access to the encrypted files was regained, and we obtained confirmation from the actor that all exposed data was deleted and is no longer in its possession.”

It said that 38,000 patients were exposed in the incident, with full names, addresses, Social Security numbers, lab results and “information related to the handling of human tissue” potentially impacted.

RBA said it also conducted web searches to check if any of the stolen information was being discussed or traded online and so far had no indication of such activity.

However, history tells us that ransomware threat actors often don’t keep their word regarding stolen data.

A report from November 2020 claimed that some affiliates had started to publish data even after ransom payments and/or to demand a second payment to prevent publication.

“Paying a threat actor not to leak stolen data provides almost no benefit to the victim,” warned report author Coveware.

Nuclear Research Institute Breached by Suspected North Korean Hackers

Info Security - Mon, 06/21/2021 - 08:25

A South Korean nuclear power research organization has admitted it’s currently investigating a security breach after reports suggested its neighbor to the north may be responsible.  

Lawmaker Ha Tae-keung, who sits on the parliamentary intelligence committee, cited third-party research attributing the May 14 attack to the Pyongyang-backed APT group Kimsuky.

One of 13 IP addresses used to attack the Korea Atomic Energy Research Institute (KAERI) was traced back to the group, which has been in operation since around 2012, according to Reuters.

“The incident could pose serious security risks if any core information was leaked to North Korea, as KAERI is the country's largest think tank studying nuclear technology including reactors and fuel rods,” Ha reportedly said in a statement.

KAERI issued a response on Friday admitting that some systems had been breached by an “unidentified outsider” via a VPN vulnerability. It subsequently blocked the malicious IP address and patched the bug.

“Currently, the Atomic Energy Research Institute is investigating the subject of the hacking and the amount of damage, etc., in conjunction with related organizations,” KAERI added.

The institute said that an earlier statement denying any hacking incident was issued in error, and it apologized for any concern caused to the public by the breach.

North Korea is thought to be well on its way to developing nuclear weapons-grade plutonium after talks led by the US hit a wall in 2019.

According to the US authorities, Kimsuky has been gathering intelligence for the North Korean regime for nearly a decade, focusing on foreign policy and national security issues, including sanctions and nuclear weapons.

In the past, it has been blamed for attacks on organizations including China’s Sejong Institute, the Korea Institute for Defense Analyses (KIDA), and South Korea’s Ministry of Unification.

Texan Admits Data Center Bomb Plot

Info Security - Fri, 06/18/2021 - 17:29

A man from Texas could be facing up to 20 years in prison after pleading guilty to plotting to blow up a data center in Virginia.

Seth Aaron Pendley, of Wichita Falls, was arrested in April after trying to purchase what he believed to be an explosive device from an undercover FBI employee in Fort Worth.

The 28-year-old admitted that he had planned to use the device to destroy servers in an Amazon-owned data center located on Smith Switch Road in Ashburn, Virginia. 

According to his plea documents, Pendley shared the details of his plot with a source via an encrypted messaging app last February. 

When the source offered to help the would-be bomber obtain C4 plastic explosives, Pendley responded with the message: “F*** yeah.”

Pendley sent the source a list of data center addresses and said he hoped a successful attack would “kill off 70% of the internet.”

Pendley then showed the source a hand-drawn map of a data center in Ashburn that included details of how he intended to enter and exit the site. The source also heard how Pendley planned to disguise his car to escape detection by law enforcement.

In March, the source introduced the unsuspecting Pendley to an undercover FBI employee posing as an explosives supplier. Pendley was recorded telling that FBI employee that he wanted to blow up Amazon web servers. 

Pendley said he thought that the servers in the data center benefited the FBI, CIA and other federal agencies. By destroying the servers, Pendley hoped to prevent the United States from being taken over by a tyrannical Marxist government.

On April 8, Pendley was arrested after meeting the FBI employee to collect inert devices that he believed to be real explosives. At his residence, agents found an AR-15 receiver with a sawed-off barrel, a pistol painted to look like a toy gun, masks, wigs, and notes and flashcards related to the planned attack.

On June 9, Pendley pleaded guilty to a malicious attempt to destroy a building with an explosive. He is due to be sentenced on October 1. 

Federal authorities said Pendley was apolitical until he lost his job and began researching politics on the internet.

New Jersey Councilor Charged with Cyber-harassment

Info Security - Fri, 06/18/2021 - 16:25

A councilor from New Jersey has been arrested and charged with waging a campaign of cyber-harassment against a former girlfriend. 

Detectives from the Cape May County Prosecutor's Office, with the assistance of detectives from the Middle Township Police Department, launched an investigation into the activities of 43-year-old realtor and Cape May councilman Christopher Bezaire in May 2021 after allegations of cyber-abuse were made. 

Bezaire, who is the president of the Cape May County Board of Realtors, was taken into custody on Wednesday afternoon. Law enforcement officers then executed search warrants at the realtor’s home address and at his workplace.

Law enforcement officers have not released any comments on what, if any, evidence was discovered during the searches. 

Following the investigation, Bezaire was charged with invasion of privacy in the third degree, cyber-harassment in the fourth degree, and stalking in the fourth degree. He was also charged with contempt of court in the fourth degree. 

After being notified of the charges against him, Bezaire was placed at the Cape May County Correctional Facility to await court proceedings. 

News of Bezaire's arrest was announced on June 16 by Cape May County prosecutor Jeffrey Sutherland and Chief Paul Skill of the Cape May County Prosecutor's Office.

According to Sutherland, individuals convicted of third-degree crimes can receive a sentence of three to five years in New Jersey State Prison. Fourth-degree crimes can carry a sentence of up to eighteen months in state prison.

The prosecutor urged anyone who has any information relating to this investigation to contact the Cape May County Prosecutor’s Office, High Technology Crimes Unit.

Allegations of harassment and stalking have also been made against Bezaire on social media, including Facebook posts under the heading “Impeach Chris Bezaire of Cape May.”

Bezaire was elected to the council in 2020. Mayor Zack Mullock told the Press of Atlantic City that the city would not take any action to remove Councilman Bezaire from office unless he is convicted.

“All parties involved are entitled to due process, and that process still has to play itself out," said Mullock.

Colorado Passes New Privacy Act

Info Security - Fri, 06/18/2021 - 15:49

The Centennial State has unanimously passed a new data privacy act to safeguard Coloradans’ personal information.

On June 8, the state Senate approved the Colorado Privacy Act after a series of revisions were made. The Act is due to take effect on July 1, 2023, and now awaits the signature of state governor Jared Polis. 

Should the Act become law, Colorado will follow California and Virginia by enacting comprehensive privacy legislation.

The Act gives consumers who reside in Colorado five key rights over their personal data. Firstly, they have the right to opt out of the sale of their personal data, the processing of personal data for targeted advertising purposes, and automated profiling in furtherance of decisions that produce legal or similarly significant effects.

They also have the right to access their personal data held by a data controller and the right to make corrections to their personal data if inaccuracies are identified.

Finally, they have the right to be provided with their data in a portable and ready to use format, and the right to have their personal data erased.

The new Act will apply to any data controller doing business in Colorado that either processes or controls the personal data of 100,000 or more Colorado resident consumers in a calendar year, or both derives revenue (or receives a discount on the price of goods or services) from the sale of personal data and processes or controls the personal data of 25,000 or more Colorado resident consumers.

Under the new law, entities will have specific responsibilities pertaining to how they collect and process data. Consumers must be informed about why their personal data is being collected and must be notified if their data is sold or used for targeted advertising.

Data controllers must limit their data collection, only gathering the information they need to serve their stated purpose. And the data they collect must be secured to prevent unauthorized access.

Sensitive information, such as data on ethnic origin, religious beliefs, mental or physical health, sexual orientation, citizenship status, genetic/biometric data, and the personal data of minors, cannot be collected and processed unless consumers provide their consent through an opt-in process.

Google Spices Up Supply Chain Security with SLSA Framework

Info Security - Fri, 06/18/2021 - 09:32

Google has proposed a new framework to mitigate the growing risks posed by attacks on the software supply chain.

The Supply Chain Levels for Software Artifacts (SLSA, pronounced “salsa”) is designed to ensure the integrity of software artifacts across the entire supply chain.

It’s based on Google’s own Binary Authorization for Borg framework, which the tech giant has been using as standard for all its production workloads for over eight years.

“The goal of SLSA is to improve the state of the industry, particularly open source, to defend against the most pressing integrity threats,” Google explained. “With SLSA, consumers can make informed choices about the security posture of the software they consume.”

A typical software supply chain features multiple weak points and dependencies where attackers could strike — from the source repository and control platforms to the build and package phases.

In the SolarWinds attack, for example, which led to the compromise of nine US government agencies, the attackers compromised the build platform and installed an implant that injected malicious code during each build.

In another recent supply chain attack affecting US firm Codecov, attackers used leaked credentials to upload a malicious artifact that was not built by the company’s CI/CD system. Users unwittingly downloaded this directly from its Google Cloud Storage bucket.

SLSA would have helped in both cases, Google claimed: its higher levels require stronger security controls on build platforms such as SolarWinds’, and provenance checks would have flagged the Codecov artifact as one not produced by the company’s build system.

It described SLSA as a “set of incrementally adoptable security guidelines” with four levels designed to go beyond best practice approaches.

“It will support the automatic creation of auditable metadata that can be fed into policy engines to give ‘SLSA certification’ to a particular package or build platform. SLSA is designed to be incremental and actionable, and to provide security benefits at every step,” Google explained.

“Once an artifact qualifies at the highest level, consumers can have confidence that it has not been tampered with and can be securely traced back to source — something that is difficult, if not impossible, to do with most software today.”
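The “auditable metadata” and “traced back to source” properties above come down to a consumer checking an artifact against a signed provenance statement before using it. The following is an added example, not Google’s or the SLSA project’s code: a minimal provenance statement modelled on the in-toto Statement / SLSA provenance layout (subject digests, builder id, source materials), and the consumer-side policy that rejects an artifact with no provenance (the Codecov case: a file uploaded directly to the download bucket, never built by CI), a digest that does not match, an untrusted builder, or an unexpected source. The builder id, source URI and sample artifact are hypothetical, and signature verification of the attestation envelope is deliberately omitted here; a real consumer must perform it before trusting any field.

```python
"""Consumer-side verification of a build artifact against its provenance.

Added example, not Google's or the SLSA project's code. The statement layout
is modelled on the in-toto Statement / SLSA provenance shape (subject digests,
builder.id, materials) but simplified, and verification of the signature on
the attestation envelope is deliberately left out here; a real consumer must
check it before trusting any field below.
"""
import hashlib
import json
from typing import Optional, Tuple

# Assumptions (hypothetical identifiers): the only builder this consumer trusts
# and the source repository the artifact is expected to come from.
TRUSTED_BUILDER_ID = "https://ci.example.com/builders/release"
EXPECTED_SOURCE = "git+https://git.example.com/example/uploader"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of raw artifact bytes."""
    return hashlib.sha256(data).hexdigest()


def make_provenance(artifact_name: str, artifact: bytes,
                    builder_id: str, source_uri: str) -> str:
    """Emit a minimal provenance statement, as a CI build platform would,
    binding the artifact's digest to the builder and the source it consumed."""
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": "https://slsa.dev/provenance/v0.1",
        "subject": [{"name": artifact_name,
                     "digest": {"sha256": sha256_hex(artifact)}}],
        "predicate": {
            "builder": {"id": builder_id},
            "materials": [{"uri": source_uri}],
        },
    }
    return json.dumps(statement)


def verify_artifact(artifact_name: str, artifact: bytes,
                    provenance_json: Optional[str]) -> Tuple[bool, str]:
    """Policy check a consumer runs before installing an artifact.

    Rejects when provenance is absent (the artifact was never produced by the
    build system), when the digest does not match (tampered after build), when
    the builder is not trusted, or when the build did not consume the expected
    source. Returns (accepted, reason)."""
    if provenance_json is None:
        return False, "no provenance: artifact was not produced by the build system"
    stmt = json.loads(provenance_json)
    subjects = {s["name"]: s.get("digest", {}).get("sha256")
                for s in stmt.get("subject", [])}
    if subjects.get(artifact_name) != sha256_hex(artifact):
        return False, "digest mismatch: artifact differs from what the builder produced"
    predicate = stmt.get("predicate", {})
    if predicate.get("builder", {}).get("id") != TRUSTED_BUILDER_ID:
        return False, "untrusted builder"
    sources = {m.get("uri") for m in predicate.get("materials", [])}
    if EXPECTED_SOURCE not in sources:
        return False, "provenance does not trace back to the expected source"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample artifact: a release script as the build system produced it.
    built = b"#!/bin/sh\necho 'uploading report'\n"
    prov = make_provenance("uploader.sh", built, TRUSTED_BUILDER_ID, EXPECTED_SOURCE)
    print(verify_artifact("uploader.sh", built, prov))            # accepted
    # Same file altered after the build: digest no longer matches the provenance.
    print(verify_artifact("uploader.sh", built + b"echo extra\n", prov))
    # Artifact pushed straight to the download bucket with no build provenance at all.
    print(verify_artifact("uploader.sh", built + b"echo extra\n", None))
```

The policy is only as strong as the builder behind it: the digest check catches post-build tampering and the missing-provenance check catches out-of-band uploads, but a compromised build platform of the SolarWinds kind would still emit valid-looking provenance, which is why the higher SLSA levels impose controls on the builder itself rather than only on the artifact.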

Infosecurity Europe 2021 Postpones Live Event

Info Security - Fri, 06/18/2021 - 09:29

Infosecurity Europe has announced that it is postponing the live event due to run at London Olympia in July, following the government’s delay in lifting the final COVID-19 restrictions.

Infosecurity Europe will instead deliver a virtual exhibition and conference from 13-15 July 2021, the original dates of the event. The in-person event will now be held in 2022.

Before the delay to lifting restrictions, the plan had been to run a hybrid event combining live and online elements of Infosecurity Europe. The planned virtual program will be retained and enhanced with a rich line-up of presentations, talks and discussions including, but not limited to, keynote presentations and the technology showcase.

The event will include a virtual exhibition. The full program will be available on the Infosecurity website shortly. 

Nicole Mills, exhibition director at Infosecurity Group said: “Infosecurity Europe has always been the place where the cybersecurity industry’s finest minds come together to share knowledge, ideas and experiences. While we can’t yet meet in person, we’ll still be bringing the community together this July for a digital only event. We’ve run two very successful virtual conferences over the past year, and we’re ready to deliver a stimulating and insightful program of content, with plenty of opportunities to discuss, debate and discover the best ways to protect organizations and get ahead of cyber-criminals.”

All visitors, exhibitors and press who have already registered for Infosecurity Europe 2021 will be able to access the virtual event. Those who haven’t yet registered can still do so on the Infosecurity website.
